Claims contain an instance of java.net.URL and are used in hash-based containers #10673
Comments
Thanks for the report @jyrimatti. This will be a breaking change so I've scheduled it for I think the required change is to ensure the Would you be interested in submitting a PR for this?
Yes, sure, I can submit one. Just to make sure: Are you certain this fix is enough? java.net.URL is not deprecated and I guess it's never going to be, but as https://bugs.java.com/bugdatabase/view_bug.do?bug_id=4434494 says:
Thus, another possibility (?) would be to change
@jyrimatti Take a look at the OpenID Connect Core 1.0 spec, in section 2. ID Token:
The The only change required is what I proposed in previous comment - either Another possible solution is to change the
Ok, sure.
java.net.URL performs DNS lookups whenever its equals/hashCode is used. Thus attribute values of type java.net.URL need to be converted to something else before they are used for equals/hashCode. Closes spring-projectsgh-10673
Hi,

The class `org.springframework.security.oauth2.core.user.OAuth2UserAuthority` includes its `attributes` for the calculation of `hashCode` and `equals`. In case of `org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority extends OAuth2UserAuthority`, those attributes come from `org.springframework.security.oauth2.core.oidc.OidcIdToken` and `org.springframework.security.oauth2.core.oidc.OidcUserInfo` via the `org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority.collectClaims(OidcIdToken, OidcUserInfo)` function. It seems that due to https://github.com/spring-projects/spring-security/blob/main/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenDecoderFactory.java#L101 whenever (always?) the claims contain an `org.springframework.security.oauth2.core.oidc.IdTokenClaimNames.ISS`, it is there as an instance of class `java.net.URL`. This is a problem, since due to historical reasons, URL performs DNS lookups whenever its equals/hashCode is used. Instances of URL must not be used in any containers requiring use of equals/hashCode.

A simple solution would be to change it to be an instance of `java.net.URI`. Would this break something? I didn't craft a pull request since I have no idea if this kind of change would be a major breaking change for spring-security...?
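As an added illustration (not code from the Spring Security project or from anyone in this thread), a small helper that converts `java.net.URL` claim values to `java.net.URI` before the claims map is used in a hash-based container; the class and method names are assumptions and the sample claims are constructed:

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public final class ClaimsSanitizer {  // hypothetical helper, not part of Spring Security

    // Return a copy of the claims in which every java.net.URL value is replaced by an
    // equivalent java.net.URI. URI.equals/hashCode compare the string components only,
    // so the copy can be used in HashSet/HashMap without triggering host resolution.
    public static Map<String, Object> withoutUrlValues(Map<String, Object> claims) {
        Map<String, Object> copy = new LinkedHashMap<>(claims.size());
        for (Map.Entry<String, Object> e : claims.entrySet()) {
            Object value = e.getValue();
            if (value instanceof URL) {
                value = toUriOrString((URL) value);
            }
            copy.put(e.getKey(), value);
        }
        return copy;
    }

    // URL.toURI() rejects URLs whose characters were never escaped; fall back to the
    // external string form, which also has a network-free equals/hashCode.
    private static Object toUriOrString(URL url) {
        try {
            return url.toURI();
        } catch (URISyntaxException ex) {
            return url.toExternalForm();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> claims = new LinkedHashMap<>();   // constructed sample claims
        claims.put("iss", new URL("https://issuer.example.test"));
        claims.put("sub", "user-123");
        Map<String, Object> safe = withoutUrlValues(claims);   // "iss" is now a URI
        Set<Map<String, Object>> seen = new HashSet<>();
        seen.add(safe);                                        // hashCode without DNS
        System.out.println(seen.contains(withoutUrlValues(claims))); // true, no DNS lookup
    }
}
```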